
Detecting Misconfigurations



Prerequisites

Before you begin, you need the following software:

Misconfigurations in Container Images

To find misconfigurations in Dockerfiles, run trivy config . from the directory that contains them.

A sample Dockerfile that contains a misconfiguration, and the same Dockerfile after it was fixed.


Sample repository used here

Misconfigurations in Kubernetes

trivy config .

Results (screenshot): https://i.imgur.com/cZ2NagX.png


Misconfigurations in Infra as Code

Terraform

Using tfsec on Terraform manifests

tfsec .

Results:

```
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/security-group/aws' - try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/ec2-instance/aws' - try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/s3-bucket/aws' - try to 'terraform init' first

Result 1

  [aws-kms-auto-rotate-keys][MEDIUM] Resource 'aws_kms_key.this' does not have KMS Key auto-rotation enabled.
  /Users/krol/workspace/github/infra-code-tf/app-ec2/main.tf:79-80

      76 |   tags = local.tags
      77 | }
      78 |
      79 | resource "aws_kms_key" "this" {
      80 | }
      81 |
      82 | resource "aws_network_interface" "this" {
      83 |   count = 1

  Legacy ID:  AWS019
  Impact:     Long life KMS keys increase the attack surface when compromised
  Resolution: Configure KMS key to auto rotate

  More Info:
  - https://tfsec.dev/docs/aws/kms/auto-rotate-keys#aws/kms
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation
  - https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

  times
  ------------------------------------------
  disk i/o             31.415294ms
  parsing HCL          27.395µs
  evaluating values    427.268µs
  running checks       2.329946ms

  counts
  ------------------------------------------
  files loaded         7
  blocks               21
  modules              0

  results
  ------------------------------------------
  critical             0
  high                 0
  medium               1
  low                  0
  ignored              0

1 potential problems detected.
```


Using trivy on the same Terraform manifests

trivy conf .

Results:

```
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/security-group/aws' - try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/ec2-instance/aws' - try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/s3-bucket/aws' - try to 'terraform init' first
2021-10-27T22:44:28.692-0300    INFO    Detected config files: 4

app-ec2/main.tf (terraform)
===========================
Tests: 14 (SUCCESSES: 13, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+------------------------------------------+--------------+------------------------------------------+----------+----------------------------------------------------+
|                   TYPE                   |  MISCONF ID  |                  CHECK                   | SEVERITY |                      MESSAGE                       |
+------------------------------------------+--------------+------------------------------------------+----------+----------------------------------------------------+
| Terraform Security Check powered by      | AVD-AWS-0065 | A KMS key is not configured to           |  MEDIUM  | Resource 'aws_kms_key.this' does not               |
| tfsec                                    |              | auto-rotate.                             |          | have KMS Key auto-rotation enabled.                |
|                                          |              |                                          |          | -->tfsec.dev/docs/aws/kms/auto-rotate-keys#aws/kms |
+------------------------------------------+--------------+------------------------------------------+----------+----------------------------------------------------+

app-ec2/variables.tf (terraform)
================================
Tests: 8 (SUCCESSES: 8, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

site-s3/main.tf (terraform)
===========================
Tests: 5 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

site-s3/variables.tf (terraform)
================================
Tests: 2 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 0)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
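Both scanners above report the same finding: the empty aws_kms_key.this block (tfsec rule aws-kms-auto-rotate-keys, trivy AVD-AWS-0065). The following is an added example, not code from the sample repository, showing the flagged resource next to a corrected one; the description and deletion window values are illustrative assumptions, and the second resource is given a different name only so both can sit in one file.

```hcl
# Flagged form, as it appears in the scan output: no rotation setting at all.
# Both tfsec and trivy report the key as not auto-rotating.
resource "aws_kms_key" "this" {
}

# Corrected form. enable_key_rotation is the aws_kms_key argument the tfsec
# "More Info" link points at; with it set, the check passes on re-scan.
# The description and deletion window are illustrative values, not from the
# sample repository.
resource "aws_kms_key" "this_rotated" {
  description             = "app-ec2 data key (example)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# If a specific key must stay unrotated for an accepted reason, tfsec supports
# an inline ignore on the resource, ideally with an expiry so the exception is
# revisited. The date below is a placeholder.
#tfsec:ignore:aws-kms-auto-rotate-keys:exp:2099-01-01
resource "aws_kms_key" "legacy_accepted_risk" {
  description = "legacy key with documented risk acceptance (example)"
}
```

Re-running tfsec . or trivy conf . after applying enable_key_rotation = true should drop the MEDIUM count to 0 for this file; an ignored finding is listed under "ignored" in the tfsec summary rather than silently disappearing.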


CloudFormation

trivy conf .

Results:

```
WARNING: Failed to load module: missing module with source 'terraform-aws-modules/s3-bucket/aws' - try to 'terraform init' first
2021-11-25T13:49:04.581-0300    INFO    Detected config files: 4

cf-sample.yaml (cloudformation)
===============================
Tests: 11 (SUCCESSES: 4, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

+------------------------------------------+--------------+------------------------------------------+----------+------------------------------------------+
|                   TYPE                   |  MISCONF ID  |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+------------------------------------------+--------------+------------------------------------------+----------+------------------------------------------+
| Cloudformation Security Check powered by | AVD-AWS-0009 | Launch configuration should not have a   |   HIGH   | Launch configuration associates public   |
| cfsec                                    |              | public IP address.                       |          | IP address.                              |
+                                          +--------------+------------------------------------------+----------+------------------------------------------+
|                                          | AVD-AWS-0017 | CloudWatch log groups should be          |   LOW    | Log group is not encrypted.              |
|                                          |              | encrypted using CMK                      |          |                                          |
+                                          +--------------+------------------------------------------+----------+------------------------------------------+
|                                          | AVD-AWS-0057 | IAM policy should avoid use of wildcards |   HIGH   | IAM policy document uses wildcarded      |
|                                          |              | and instead apply the principle of least |          | resource for sensitive action(s).        |
|                                          |              | privilege                                |          |                                          |
+                                          +              +                                          +          +                                          +
|                                          |              |                                          |          |                                          |
|                                          |              |                                          |          |                                          |
|                                          |              |                                          |          |                                          |
+                                          +              +                                          +          +                                          +
|                                          |              |                                          |          |                                          |
|                                          |              |                                          |          |                                          |
|                                          |              |                                          |          |                                          |
+                                          +--------------+------------------------------------------+----------+------------------------------------------+
|                                          | AVD-AWS-0099 | Missing description for security group   |   LOW    | Security group rule does not have a      |
|                                          |              | rule.                                    |          | description.                             |
+                                          +              +                                          +          +                                          +
|                                          |              |                                          |          |                                          |
|                                          |              |                                          |          |                                          |
+------------------------------------------+--------------+------------------------------------------+----------+------------------------------------------+
```

The empty rows with merged cells are how trivy groups repeated occurrences of the same check: the 7 failures are one AVD-AWS-0009, one AVD-AWS-0017, three AVD-AWS-0057 and two AVD-AWS-0099 findings, which matches the HIGH: 4 and LOW: 3 totals.


CI Integration

Tfsec Sarif Result

Trivy Result

Tfsec PR Commenter Result

More details about Trivy vs Tfsec

Sample repository here.